A disgruntled IT administrator deleted multiple virtual hosts at Japanese pharmaceutical firm Shionogi causing several days of havoc and damages and highlighting the persistent danger of insider threats.
A former IT professional at
the United States subsidiary of Japanese pharmaceutical firm Shionogi pleaded
guilty on Aug. 16 to charges of computer intrusion. The former employee, Jason
Cornish, faces a maximum of 10 years in prison when he is sentenced in
This is just the latest case
that illustrates how enterprises fail to guard the security
of corporate networks and data stores after key IT professionals
leave the company, especially employees who are unhappy about layoffs, corrupt
or just plain malicious.
Cornish left the firm in
July 2010 after a dispute with a senior manager, but at the suggestion of a
colleague, referred to as B.N. in court documents filed June 30 in the U.S.
District court for the State of New Jersey, continued working for Shionogi as a
contractor because of his familiarity with the company's network. During a
round of layoffs, "B.N." refused to hand over network passwords to
company executives and was summarily suspended and ultimately fired in
September 2010. B.N.'s departure meant Cornish's contract was also terminated,
and he was no longer authorized to access Shionogi's network.
Even so, Cornish allegedly
attempted to access Shionogi's computer systems on over 20 occasions and in January,
managed to install VMWare's VSphere virtualization management console software
without the company's consent or knowledge.
On Feb. 13, Cornish logged
into the network and used the VSphere software to delete the contents of 15
virtual hosts, roughly equivalent to 88 different computer servers, according
to the complaint.
The attacks were severe
enough to freeze Shionogi's operations for "a number of days, leaving
employees unable to ship products, to cut checks or even communicate via email,"
according to court documents. The breach affected Shionogi's corporate email, BlackBerry
servers, order-tracking system and financial management software. The company
estimated the damage cost $800,000.
The breach "is a great
example of how vulnerable virtualization infrastructure and the cloud can
be," Eric Chiu, founder and president of HyTrust, a vendor of
virtualization and security products for VMware environments, told eWEEK.
Critical systems were virtualized
without the proper automated controls in place that could have detected what
was happening in time for the company to stop him, Chiu said.
Cornish launched his
devastating attack off the free public WiFi hotspot at a local McDonald's in
Smyrna, Ga. Authorities were able to trace the attacking IP address back to the
McDonald's and located Cornish, thanks to the $4.96 charge on his Visa credit card
just five minutes earlier.
Insider threats are on the
rise, whether they come from malicious employees, data leaks such as WikiLeaks
or operational mistakes, Chiu said. In fact, in a recent NetIQ survey of 200
security executives, 72 percent claimed to have experienced insider data theft
at least once in the past two years. Insider attacks could also take more than
45 days to contain, according to HP's cost of cyber-crime
report released earlier
People leave jobs all the
time and most of them would "never dream" of logging back into their
former employers' network, Graham Cluley, a senior technology consultant at
Sophos, wrote on the Naked Security
blog. Even so,
organizations should make sure defenses are in place, passwords changed and
former employee access revoked. "It only takes one bad apple to wreak
havoc," Cluley said.
IT staff should also be
regularly reviewing the user database to ensure all the users are legitimate
and current, Cluley said.
Insider threats are some of
the most damaging kinds of
since organizations tend to focus on outsiders trying to break in, not on
monitoring what employees are doing inside the network. Advocates of the zero-trust security model
point out that assuming
whoever is inside the network is trustworthy is a fallacy.
Earlier this month, Citigroup
information of about 92,400 customers was illegally obtained and sold to a
third party from its credit card unit in Japan. It turned out the unit
outsourced a part of its business to another company and an employee of that
company had stolen the data.
In July, a 10-year employee
of CME Group was accused of stealing trade secrets and proprietary source code
used to run trading systems for the Chicago Mercantile Exchange, according to a
criminal complaint filed in that case.
In April, a former network
engineer at Gucci America
was indicted on charges of
illegally accessing the company's servers and deleting documents after he was
fired. Gucci estimated $200,000 in lost sales, diminished productivity, and restoration
and remediation expenses. The former employee took the USB-token device used to
access the corporate VPN network with him when he was fired and used it to continue
accessing the network.